Bug 847426

Summary:	Problems with tmux scripts with unconfined disabled
Product:	[Fedora] Fedora	Reporter:	Robin Powell <rlpowell>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED RAWHIDE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	15	CC:	dominick.grift, dwalsh, mgrepl
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2012-08-13 19:29:15 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Robin Powell 2012-08-11 05:02:00 UTC

Let me know if this is fixed in a more recent release.

I've bound the following script to a tmux key, to trim whitespace in stuff in the tmux buffer:

- ----------------


#!/bin/sh -e

sep="$1"

rm -f /tmp/rlp_tmux_buf
tmux save-buffer -b 0 /tmp/rlp_tmux_buf
if [ "$sep" ]
then
  cat /tmp/rlp_tmux_buf | sed 's/^ *//' | tr '\012' "$sep" >/tmp/rlp_tmux_buf.tmp
else
  cat /tmp/rlp_tmux_buf  | sed 's/^ *//' | tr -d '\012' >/tmp/rlp_tmux_buf.tmp
fi
tmux load-buffer -b 18 /tmp/rlp_tmux_buf.tmp
tmux paste-buffer -b 18
rm /tmp/rlp_tmux_buf /tmp/rlp_tmux_buf.tmp

- -----------------

This works fine with setenforce 0, but with 1 it:


----
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { noatsecure } for  pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { siginh } for  pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { rlimitinh } for  pid=32042 comm=sh scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(08/10/2012 21:29:02.372:479026) : avc:  denied  { read write } for  pid=32042 comm=sh path=socket:[7581390] dev=sockfs ino=7581390 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_screen_t:s0 tclass=unix_stream_socket
----
type=AVC msg=audit(08/10/2012 21:29:02.430:479029) : avc:  denied  { getattr } for  pid=32043 comm=rm path=/tmp/rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file
----
type=AVC msg=audit(08/10/2012 21:29:02.431:479030) : avc:  denied  { unlink } for  pid=32043 comm=rm name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file

(had dontaudit off).

audit2allow says:


#============= staff_t ==============
allow staff_t screen_tmp_t:file { getattr unlink };
allow staff_t staff_screen_t:unix_stream_socket { read write };

which looks remarkably inoffensive to me, but I'm *way* out of practice at this game.  What say you?

-Robin

Comment 1 Robin Powell 2012-08-11 15:56:15 UTC

Whoops, missed some; like I said, it's been way too long.


----
type=AVC msg=audit(08/11/2012 08:24:28.812:533383) : avc:  denied  { open } for  pid=1364 comm=tmux name=rlp_tmux_buf.tmp dev=vda2 ino=140555 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(08/11/2012 08:24:28.812:533383) : avc:  denied  { read } for  pid=1364 comm=tmux name=rlp_tmux_buf.tmp dev=vda2 ino=140555 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
----
type=AVC msg=audit(08/11/2012 08:24:28.702:533380) : avc:  denied  { open } for  pid=30054 comm=cat name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file
type=AVC msg=audit(08/11/2012 08:24:28.702:533380) : avc:  denied  { read } for  pid=30054 comm=cat name=rlp_tmux_buf dev=vda2 ino=131116 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:screen_tmp_t:s0 tclass=file

So the whole version is:


policy_module(mytmuxscripts,1.0.0)

require {                                                                                                                                                                                                  type staff_t;
        type staff_screen_t;
        type screen_tmp_t;
        type user_tmp_t;                                                                                                                                                                                   class file { getattr unlink read open };
        class unix_stream_socket { read write };                                                                                                                                                   }

#============= staff_t ==============                                                                                                                                                              allow staff_t screen_tmp_t:file { getattr unlink };
allow staff_t staff_screen_t:unix_stream_socket { read write };
allow staff_t screen_tmp_t:file { read open };

#============= staff_screen_t ==============
allow staff_screen_t user_tmp_t:file { read open };

Comment 2 Daniel Walsh 2012-08-13 19:29:15 UTC

I have checked in fixes for this in F18, Since F15 is no longer supported I am closing this with a fixed in rawhide 

Fixed in selinux-policy-3.11.1-6.fc18.noarch